Sponsored by..

Thursday 28 September 2017

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location:

Subject:       Emailing: Scan0963
From:       "Sales" [sales@victimdomain.tld]
Date:       Thu, September 28, 2017 10:31 am


Your message is ready to be sent with the following file or link
attachments:

Scan0963


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a .7z file with a name matching the "Scan" part in the header and body text. MD5s of those seen so far (there may be more):

58B76A9DC942AF73CFADFAF764637A48
627A8A6C3F73365161B94ABF5472E5C0
8927AE38D6F84DF1940D0E13491015F9
1CD93386F4FD7D5771A8119C5E9E6C98
A406E870D20A5913B17C4F9D6D52CDCD
EB087BB59BEED8039FC7B7E48F099E79
1D94DC6ECAED3D33D840E61DDAD7AC07
FDB76F480AF0A8D01DA2E4A3098A549F
320401A216CC7A3BA6B9C12163B3EB60
1AC6D2DA56FAA27C60A22CFD2099435F
1BD79C90F2CC8390170A4D6231282328

Inside is a malicious VBS script (example) which exhibits a curious feature:


If you are in the UK, Australia, Ireland, Belgium or Luxembourg you get one binary [VT 12/64], everyone else gets another [VT 20/64]. My Online Security describes this in more detail - the first group get the Trickbot banking trojan and everyone gets Locky ransomware.

In the samples I saw, the Trickbot download locations were:

autoecole-jeanpierre.com/9hciunery8g?
autoecoleathena.com/9hciunery8g?
conlin-boats.com/9hciunery8g?
flooringforyou.co.uk/9hciunery8g?
fls-portal.co.uk/9hciunery8g?
fmarson.com/9hciunery8g?
freevillemusic.com/9hciunery8g?
geeks-online.de/9hciunery8g?
jakuboweb.com/9hciunery8g?
jaysonmorrison.com/9hciunery8g?
melting-potes.com/9hciunery8g?
sherylbro.net/p66/LUYTbjnrf
camerawind.com/9hciunery8g?


The Locky download locations:

americanbulldogradio.com/LUYTbjnrf?
anarakdesert.com/LUYTbjnrf?
atlantarecyclingcenters.com/LUYTbjnrf?
augustinechua.com/LUYTbjnrf?
classactionlawsuitnewscenter.com/LUYTbjnrf?
davidstephensbanjo.com/LUYTbjnrf?
e-westchesterpropertytax.com/LUYTbjnrf?
felicesfiestas.com.mx/LUYTbjnrf?
financeforautos.com/LUYTbjnrf?
mtblanc-let.co.uk/LUYTbjnrf?
plumanns.com/LUYTbjnrf?
poemsan.info/p66/d8743fgh
asnsport-bg.com/LUYTbjnrf?


There may be other locations too.

The following legitimate services are used for geolocation. They might be worth monitoring:

https://ipinfo.io/json
http://www.geoplugin.net/json.gp
http://freegeoip.net/json/


All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too.

UPDATE

A more complete list of download locations from a trusted source (thank you!)

ambrogiauto.com/9hciunery8g
autoecoleathena.com/9hciunery8g
autoecoleboisdesroches.com/9hciunery8g
autoecole-jeanpierre.com/9hciunery8g
camerawind.com/9hciunery8g
conlin-boats.com/9hciunery8g
feng-lian.com.tw/9hciunery8g
flooringforyou.co.uk/9hciunery8g
fls-portal.co.uk/9hciunery8g
fmarson.com/9hciunery8g
freevillemusic.com/9hciunery8g
geeks-online.de/9hciunery8g
givensplace.com/9hciunery8g
jakuboweb.com/9hciunery8g
jaysonmorrison.com/9hciunery8g
melting-potes.com/9hciunery8g
patrickreeves.com/9hciunery8g
sherylbro.net/p66/LUYTbjnrf

americanbulldogradio.com/LUYTbjnrf
anarakdesert.com/LUYTbjnrf
asnsport-bg.com/LUYTbjnrf
astilleroscotnsa.com/LUYTbjnrf
atlantarecyclingcenters.com/LUYTbjnrf
augustinechua.com/LUYTbjnrf
classactionlawsuitnewscenter.com/LUYTbjnrf
davidstephensbanjo.com/LUYTbjnrf
essenza.co.id/LUYTbjnrf
evlilikpsikolojisi.com/LUYTbjnrf
e-westchesterpropertytax.com/LUYTbjnrf
felicesfiestas.com.mx/LUYTbjnrf
financeforautos.com/LUYTbjnrf
fincasoroel.es/LUYTbjnrf
kailanisilks.com/LUYTbjnrf
mediatrendsistem.com/LUYTbjnrf
modaintensa.com/LUYTbjnrf
mtblanc-let.co.uk/LUYTbjnrf
plumanns.com/LUYTbjnrf
poemsan.info/p66/d8743fgh

Tuesday 26 September 2017

Malware spam: "AutoPosted PI Notifier"

This spam has a .7z file leading to Locky ransomware.
From:      "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject:      Invoice PIS9344608
Date:      Tue, September 26, 2017 5:29 pm

Please find Invoice PIS9344608 attached.
The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):

camerawind.com/jkhguygv73
envirotambang.com/jkhguygv73
fianceevisa101.com/jkhguygv73
fiancevisacover.com/jkhguygv73
financeforautos.com/jkhguygv73
fincasoroel.es/jkhguygv73
fmarson.com/jkhguygv73
formareal.com/jkhguygv73
fwbcondo.com/jkhguygv73
gaestehaus-im-vogelsang.de/jkhguygv73
gbvm.nl/jkhguygv73
geeks-online.de/jkhguygv73
playbrief.info/p66/jkhguygv73

The dropped file currently has a detection rate of 21/63. There are no C2s.

Thursday 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==



[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).



[commMgrTok:EVDOOCETFBECA]
Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

Monday 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am

Hello,

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *


The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).


Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:





yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)


.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158



Wednesday 6 September 2017

QTUM Cryptocurrency spam

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

Subject:       Qtum Main Network Launches September 13th, 2017
From:       "Lou Roberson"
Date:       Wed, September 6, 2017 6:37 am
Priority:       Normal


The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain
ecosystems
TESTNET NOW LIVE!
   
    About
     
The Qtum Foundation is a Singapore based entity that promotes
adoption of the Qtum Blockchain. Project inception began in
March 2016, leading up to a successful crowdsale a year later.
Over 10,000 BTC and 72,000 ETH were raised in less than 5 days,
making Qtum one of the largest crowdfunded projects in history,
at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be
available for withdrawal on September 13, 2017.


The Qtum Foundation plans to be the anonymous blockchain for
business. Development efforts will allow us to market this
platform tovarious industries, such as: Mobile
Telecommunications, Counterfeit Protection, Finance, Industrial
Logistics (shipping, warranty,etc), Manufacturing, P2P Anonymous
Transfers and Anonymous Market Management from phone.
Build anonymous decentralized applications you can trust
     
Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and
legacy institutions to interface with blockchain technology.
Create your own tokens, automate supply chain management and
engage in self-executing agreements in a standardized
environment, verified and tested for stability.

   
    Specification

    Total QTUM Supply: 100,000,000
    Block Target: 128 seconds
    Stake Return: ~4 QTUM
    Algorithm: SHA256

     
   
   
    QTUM SPARKNET
   
SPARKNET
          
Sparknet is designed primarily for developers, and as such
documentation at this point will be technical and suited more
for developers.  Testnet tokens do not hold any value and should
not be traded for any monetary instruments. The testnet can be
reset or forked at anytime as deemed necessary for development.

Forum Announcement:
https://bitcointalk.org/index.php?topic=1720632.4220

Release on github:
https://github.com/qtumproject/qtum/releases/tag/testnet-sparknet

Qtum Sparknet Usage and Information: Please see:
https://github.com/qtumproject/qtum/blob/testnet-1/doc/sparknet-guide.md
   
    QTUM SPYNET

Aug 15 The 2nd Qtum Test Network, Skynet, is now live: SKYNET
   
     
Qtum Skynet, the second public testnet for the Qtum blockchain.
All tokens aqcuired during the testnet will cease to exist 
when the mainnet is released which actually has tokens which
hold value. The purpose of the public testnet is to allow
developers to begin testing and developing applications, allow
early adopters to see a preview of how the network will behave,
and for the Qtum development team to run several load tests
which are not directly comparable when done on a private and
controlled network. Qtum Skynet will ideally have the same
consensus features and parameters as the Qtum mainnet.


Qtum Skynet Usage and Information:
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet-v1.2

As soon as Main Network will be launched, you will be availaible
to build your own applications (DApps) or marketplaces. Fully
scalable and anonymous, so you can easy made any anonymous
marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and
managed from your phone with fully anonymous transactions!

    No matter what kind of business you are building, all
transactions will be anonymous, and the network will never
reveal the ip addresses of the applications that are running
on it.

    Even if you sell weapons, drugs, trade in people and are
going to organize a coup d'?tat, you can be sure that you
will remain anonymous.

    Another thing is that it is illegal and sooner or later you
will receive the punishment that you deserve. But everyone
want to know how deep the rabbit hole goes.

    For our part, we can only provide a reliable, scalable and
anonymous ecosystem thanks to which any business can be
built on it and we guarantee that we will do everything
possible to make it sucesfull.

    We give you a choice - "blue pill or red pill"
       
        What Will your choice be?

    So, you have to prepare for Main Network launch  Qtum Custom
Token Walkthrough
   
    CROWDSALE
     
The QTUM token supply will be allocated as follows:

    - 51% of Qtum tokens (51,000,000) will be distributed
through the crowdsale
    - 20% of Qtum tokens (20,000,000 QTUM) will be distributed
among founders, early backers and the development team
    - 29% of Qtum tokens (29,000,000 QTUM) will be allocated to
community initiatives concerning business development, as
    well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our
website: https://qtum.org/en/crowdsale#question-2
   
    Exchanges
     
Coinone:   https://coinone.co.kr/exchange/trade/qtum/
Yunbi: https://yunbi.com/markets/qtumcny
Bittrex: https://bittrex.com/Market/Index?MarketName=BTC-QTUM
https://bittrex.com/Market/Index?MarketName=ETH-QTUM
CHBTC: https://www.chbtc.com/qtum
BTER: https://bter.com/trade/qtum_cny
https://bter.com/trade/qtum_eth
https://bter.com/trade/qtum_btc

Yubi: https://www.jubi.com/coin/qtum/
Yuanbao:   https://www.yuanbao.com/trade/qtum2cny
Binance:   https://www.binance.com/trade.html?symbol=QTUM_ETH
Allcoin: https://allcoin.com/markets/QTUM-BTC/0/
BTC9: https://btc9.com/trade/22
Biduobao: https://www.biduobao.com/market-qtum.html
Liqui: https://liqui.io/#/exchange/QTUM_USDT
https://liqui.io/#/exchange/QTUM_ETH     
https://liqui.io/#/exchange/QTUM_BTC
Cryptopia: https://www.cryptopia.co.nz/Exchange?market=QTUM_BTC
COSS: https://exchange.coss.io/pair/qtum-eth
https://exchange.coss.io/pair/qtum-btc
HitBTC: https://hitbtc.com/exchange/QTUM-to-ETH/size
Novaexchange: https://novaexchange.com/market/BTC_QTUM/
   
    TEAM
   
   
     
See the full team at: https://qtum.org/en/team

    We are looking for developers to build the next generation
DApps on top of Qtum and invite you all to give our testnet
a try.

    We are always on the lookout to enrich our very talented
team, the next team member can be you!

    SEND YOUR RESUME TO OUR EMAIL: CAREERS@QTUM.ORG

    currently 4500+ Chinese community members

As far as I can see, there are no malicious links anywhere. This one can probably be marked down as an annoyance, and it should be easy enough to block or filter.

Tuesday 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24